$500,000 in bitcoin ransom recovered by FBI

$500,000 in bitcoin paid to Maui ransomware gang recovered by FBI


$500,000 in bitcoin intended for North Korean ransomware hackers was seized by the FBI yesterday

Bitcoin worth $500,000 paid to cyber actors from North Korea was intercepted by the FBI, the agency said yesterday in a statement.

Since the beginning of July, the FBI and CISA have been tracking cyber actors using the Maui ransomware strain in encryption attacks on Western organisations. Maui has been used against public health and healthcare organisations in particular, often causing severe and life-threatening situations because of the resulting service outages.

The ransomware first came under investigation, according to an announcement by the US Department of Justice, after a Kansas hospital sent a security incident report to the FBI.

Lisa Monaco, the Deputy Attorney General, stated: "Thanks to rapid reporting and co-operation from the victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as Maui. Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain."

The hospital had paid around $100,000 in May 2021 to the ransomware group behind Maui to restore its IT network after the initial encryption attack. Because the hospital filed a report with the FBI promptly, investigators were able to trace the payment, and another payment of about $120,000, from a Colorado medical provider, was tracked soon after.

An undisclosed number of further payments totalling about $280,000, along with the two payments listed above, were seized two months ago, in May 2022, bringing the total amount of bitcoin seized to around half a million USD.

The statement does not name the group involved, but North Korean government-linked hacking groups frequently use ransomware to raise funds, as the country is subject to strict embargoes. These actors use sophisticated techniques to infiltrate their targets; one campaign abused the Windows Update client and GitHub to infect PCs, using fake job offers from the defence firm Lockheed Martin as lures. One group, Lazarus, has been accused of stealing more than $600 million in Ethereum and USDC stablecoins in the Ronin hack in March.